Application Serial No. 10/072,683 
Attorney Docket No. 0023-0209 

Amendments to the Claims: 

This listing of claims will replace all prior versions, and listing, of claims in the application: 
Listing of Claims: 

1 . (currently amended) A method for detecting and preventing security breaches in a 
network traffic , the method comprising: 

reassembling a plurality of TCP packets in the network traffic into a TCP stream; 
inspecting the TCP stream to detect information indicative of a security br e ach e s 

breach ; 

dropping a TCP packet from the TCP stream if the TCP stream contains information 
indicative of a security breaches breach ; and 

forwarding a TCP packet from the TCP stream to a network destination if the TCP 
stream does not contain information indicative of a security br e ach e s breach, 

wherein inspecting the TCP stream to detect information indicative of a security breach 
comprises: 

storing a plurality of protocol specifications supported by the network in a protocol 
database; and 

querying the protocol database to determine whether the plurality of TCP packets are 
compliant with one or more of the plurality of protocol specifications in the protocol database. 

2. (original) The method of claim 1, wherein inspecting the TCP stream to detect 
information indicative of security breaches comprises inspecting the TCP stream for protocol 
irregularities. 
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3. (currently amended) The method of claim 1, wherein inspecting the TCP stream to 
detect information indicative of a security br e ach e s breach comprises searching the TCP 
stream for attack signatures. 

4. (original) The method of claim 3, wherein searching the TCP stream for attack 
signatures comprises using statefiil signature detection. 

5. (currently amended) The method of claim 1, wherein inspecting the TCP stream to 
detect information indicative of a security breach e s breach comprises using a plurality of 
network intrusion detection methods. 

6. (original) The method of claim 5, wherein the plurality of network intrusion 
detection methods comprises at least protocol anomaly detection. 

7. (original) The method of claim 5, wherein the plurality of network intrusion 
detection methods comprises at least signature detection. 

8. (original) The method of claim 1, further comprising grouping the plurality of TCP 
packets into packet flows and sessions. 

9. (currently amended) The method of claim [[1]] 8, further comprising storing the 
packet flows in packet flow descriptors. 
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10. (original) The method of claim 9, further comprising searching the packet flow 
descriptors for traffic signatures. 

11. (original) The method of claim 9, wherein inspecting the TCP stream comprises 
searching for a network attack identifier in the TCP stream based on the packet flow 
descriptors and sessions associated with the TCP stream. 

12. (original) The method of claim 11, wherein the network attack identifier comprises 
a protocol irregularity. 

13. (original) The method of claim 11, wherein the network attack identifier comprises 
an attack signature. 

14. (original) The method of claim 1 1, wherein the network attack identifier comprises 
a plurality of network attack identifiers. 

15. (original) The method of claim 14, wherein the plurality of network attack 
identifiers comprises at least a protocol irregularity. 

16. (original) The method of claim 14, wherein the plurality of network attack 
identifiers comprises at least an attack signature. 
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17. (currently amended) The method of claim 13, wherein the attack signatures 
signature and the traffic signatures are stored in a signatures database. 

18. (currently amended) A method for detecting and preventing security breaches in a 
network, the method comprising: 

reassembling a plurality of TCP packets into a TCP stream; 

inspecting the TCP stream to detect information indicative of a security breach; 

dropping a TCP packet from the TCP stream if the TCP stream contains information 
indicative of a security breach; 

forwarding a TCP packet from the TCP stream to a network destination if the TCP 
stream does not contain information indicative of a security breach, 

grouping the plurality of TCP packets into packet flows and sessions. The method of 
claim 8 , wherein grouping the plurality of TCP packets into packet flows and sessions 
comprises storing the packet flows and sessions in a hash table. 

19. (currently amended) The method of claim 18, wherein storing the packet flows and 
sessions in a hash table comprises computing a hash value from a 5 -tuple consisting of: 
comprising a source IP address; a destination IP address; a source port; a destination port; and 
a protocol type. 

20. (canceled) 



5 



Application Serial No. 10/072,683 
Attorney Docket No. 0023-0209 

21. (currently amended) The method of claim 3, wherein searching the TCP stream for 
attack signatures comprises querying a [[the]] signatures database to determine whether there 
are matching signatures in the TCP stream. 

22. (currently amended) A method for detecting and preventing security breaches in a 
network, the method comprising: 

reassembling a plurality of TCP packets into a TCP stream; 

inspecting the TCP stream to detect information indicative of a security breach; 

dropping a TCP packet from the TCP stream if the TCP stream contains information 
indicative of a security breach; 

forwarding a TCP packet from the TCP stream to a network destination if the TCP 
stream does not contain information indicative of a security breach, wherein inspecting the 
TCP stream to detect information indicative of a security breach comprises: 

querying a signatures database to determine whether there are matching signatures in 
the TCP stream The method of claim 2L wh e r e in determining wh e th e r th e re are matching 
signatures in th e TCP str e am compris e s using DFA deterministic finite automata for pattern 
matching. 

23. (original) The method of claim 1 5 further comprising reconstructing the plurality of 
TCP packets from a plurality of packet fragments. 

24. (currently amended) A system for detecting and preventing security breaches in a 
network traffic , the system comprising: 
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a TCP reassembly software module for reassembling a plurality of TCP packets in the 
network traffic into a TCP stream; 

a software module for inspecting the TCP stream to detect information indicative of a 
security br e ach e s breach; 

a software module for dropping a TCP packet from the TCP stream if the TCP stream 
contains information indicative of a security br e aches breach ; and 

a software module for forwarding a TCP packet from the TCP stream to a network 
destination if the TCP stream does not contain information indicative of a security br e ach e s 
breach , 

wherein the software module for inspecting the TCP stream comprises at least a 
protocol anomaly detection software module, the protocol anomaly detection software module 
comprising: 

a routine for storing a plurality of protocol specifications supported by the network in a 
protocol database, and 

a routine for querying the protocol database to determine whether the plurality of TCP 
packets are compliant with one or more of the plurality of protocol specifications in the 
protocol database . 

25. (original) The system of claim 24, further comprising an IP defragmentation 
software module for reconstructing a plurality of packet fragments into the plurality of TCP 
packets. 
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26. (original) The system of claim 24, further comprising a flow manager software 
module for grouping the plurality of TCP packets into packet flows and sessions. 

27. (currently amended) A system for detecting security breaches in a network, the 
system comprising: 

a TCP reassembly software module for reassembling a plurality of TCP packets 
network traffic into a TCP stream; 

a software module for inspecting the TCP stream to detect information indicative of a 
security breach; 

a software module for dropping a TCP packet from the TCP stream if the TCP stream 
contains information indicative of a security breach; 

a software module for forwarding a TCP packet from the TCP stream to a network 
destination if the TCP stream does not contain information indicative of a security breach; and 

a flow manager software module for grouping the plurality of TCP packets into packet 
flows and sessions. The syst e m of claim 26, wherein the flow manager software module 
comprises a routine for storing the packet flows and sessions into a hash table. 

28. (original) The system of claim 27, wherein the routine for storing the packet flows 
and sessions into a hash table comprises a routine for storing the packet flows in packet flow 
descriptors. 

29. (currently amended) The system of claim 27, wherein the routine for storing the 
packet flows and sessions into a hash table comprises a routine for computing a hash value 
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from a 5-tuple consisting of: comprising a source IP address; a destination IP address; a source 

port; a destination port; and a protocol type. 

30. (canceled) 

31. (currently amended) The system of claim 24, wherein the software module for 
inspecting the TCP stream to detect information indicative of a security br e aches breach 
comprises a stateful signature detection software module. 

32. (original) The system of claim 28, further comprising a traffic signature detection 
software module for searching the packet flow descriptors for traffic signatures. 

33. (currently amended) The system of claim 24, wherein the software module for 
inspecting the TCP stream for information indicative of a security br e ach e s breach comprises a 
plurality of software modules. 

34. (canceled) 

35. (original) The system of claim 33, wherein the plurality of software modules 
comprises at least a stateful signature detection software module. 

36. (canceled) 
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37. (currently amended) The system of claim [[36]] 24, wherein the protocol 
specifications comprise specifications of one or more of: TCP protocol; HTTP protocol; SMTP 
protocol; FTP protocol; NETBIOS protocol; IMAP protocol; POP3 protocol; TELNET 
protocol; IRC protocol; RSH protocol; REXEC protocol; and RCMD protocol. 

38. (original) The system of claim 35, wherein the stateful signature detection software 
module comprises a routine for querying a signatures database to determine whether there are 
matching attack signatures in the TCP stream. 

39. (currently amended) A system for detecting and preventing security breaches in a 
network, the system comprising: 

a TCP reassembly software module for reassembling a plurality of TCP packets in 
network traffic into a TCP stream; 

a software module for inspecting the TCP stream to detect information indicative of a 
security breach; 

a software module for dropping a TCP packet from the TCP stream if the TCP stream 
contains information indicative of a security breach; and 

a software module for forwarding a TCP packet from the TCP stream to a network 
destination if the TCP stream does not contain information indicative of a security breach, 
wherein the software module for inspecting the TCP stream to detect information indicative of 
a security breach comprises a stateful signature detection software module, the stateful 
signature detection software module comprising: 
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a routine for querying a signatures database to determine whether there are matching 
attack signatures in the TCP stream Th e syst e m of claim 38, wherein th e routine compris e s 
using G¥A deterministic finite automata for pattern matching. 

40. (currently amended) The system of claim 24 ? further comprising: 

a routine for collecting a plurality of security logs and alarms recording information 
about security breaches found in the TCP stream; 

a routine for storing a network security policy identifying the network traffic to inspect 
and a plurality of network attacks to be detected and prevented; 

a routine for distributing the network security policy to one or more gateway points in 
the network; and 

a routine for updating the protocol database and [[the]] a signatures database. 

41. (original) The system of claim 24, further comprising a graphical user interface 
comprising: 

a routine for displaying network security information to network security 
administrators; and 

a routine for specifying a network security policy. 

42. (currently amended) A system for detecting and preventing security breaches in a 
network traffic , the system comprising: 

a network intrusion detection and prevention sensor plac e d located in a network 
gateway, wherein the network intrusion detection and prevention sensor comprises: 



11 



Application Serial No. 10/072 5 683 
Attorney Docket No. 0023-0209 

a routine for reassembling a plurality of TCP packets into a TCP stream; 

a software module for inspecting the TCP stream to detect information 

indicative of a security breach e s breach, wherein inspecting the TCP stream to detect 

information indicative of a security breach comprises: 

storing a plurality of protocol specifications supported by the network in 

a protocol database, and 

querying the protocol database to determine whether the plurality of 

TCP packets are compliant with one or more of the plurality of protocol specifications 

in the protocol database ; 

a software module for dropping a TCP packet from the TCP stream if the TCP 

stream contains information indicative of a security br e ach e s breach ; and 

a software module for forwarding a TCP packet from the TCP stream to a 

network destination if the TCP stream does not contain information indicative of a security 

breach e s breach ; 

a central management server to control the network intrusion detection and prevention 
sensor; and 

a graphical user interface for configuring the network intrusion detection and 
prevention sensor. 

43. (currently amended) The system of claim 42, wherein the network intrusion 
detection and prevention sensor is placed insid e located within a firewall. 
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44. (currently amended) The system of claim 42, wherein the network intrusion 
detection and prevention sensor is plac e d located outside a firewall. 

45. (original) The system of claim 42, wherein the network intrusion detection and 
prevention sensor further comprises an IP defragmentation software module for reconstructing 
a plurality of packet fragments into the plurality of TCP packets. 

46. (currently amended) The system of claim 42, wherein the network intrusion 
detection and prevention sensor further comprises an IP router software module for routing a 
TCP packet from the TCP stream if the TCP stream does not contain information indicative of 
a network security br e ach e s breach through the network. 

47. (original) The system of claim 42, wherein the network intrusion detection and 
prevention sensor further comprises a flow manager software module for grouping the plurality 
of packets into packet flows and sessions. 

48. (original) The system of claim 47, wherein the flow manager software module 
comprises a routine for storing the packet flows in packet flow descriptors. 

49. (currently amended) The system of claim 42, wherein the software module for 
inspecting information indicative of a security breach e s breach comprises a protocol anomaly 
detection software module. 
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50. (original) The system of claim 42, wherein the software module for inspecting 
information indicative of security breaches comprises a stateful signature detection software 
module. 

51 . (original) The system of claim 48, further comprising a traffic signature detection 
software module for searching the packet flow descriptors for traffic signatures. 

52. (currently amended) The system of claim 42, wherein the software module for 
inspecting information indicative of a security br e ach e s breach comprises a plurality of 
software modules. 

53. (original) The system of claim 52, wherein the plurality of software modules 
comprises at least a protocol anomaly detection software module. 

54. (original) The system of claim 52, wherein the plurality of software modules 
comprises at least a stateful signature detection software module. 

55. (original) The system of claim 42, wherein the central management server 
comprises: 

a routine for collecting a plurality of security logs and alarms recording information 
about security breaches found in the TCP stream; 

a routine for storing a network security policy identifying the network traffic to inspect 
and a plurality of network attacks to be detected and prevented; and 
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a routine for distributing the network security policy to the network intrusion detection 

and prevention sensor. 

56. (original) The system of claim 42, wherein the graphical user interface comprises: 
a routine for displaying network security information to network security 

administrators; 

a routine for displaying status information on the network intrusion detection and 
prevention sensor; and 

a routine for specifying a network security policy. 

57. (currently amended) A network intrusion detection and prevention sensor for 
detecting and preventing network security breaches at a network gateway, the network 
intrusion detection and prevention sensor comprising: 

a flow manager software module for grouping a plurality of packets into packet flows 
and sessions; 

a TCP reassembly software module for reassembling a plurality of TCP packets from 
the plurality of packets into a TCP stream; 

a software module for inspecting the TCP stream according to the packet flows and 
sessions to detect information indicative of a security br e ach e s breach, wherein inspecting the 
TCP stream to detect information indicative of a security breach comprises: 

storing a plurality of protocol specifications supported by the network in a 
protocol database, and 

querying the protocol database to determine whether the plurality of TCP 
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packets are compliant with one or more of the plurality of protocol specifications in the 

protocol database ; 

a software module for dropping a packet from the plurality of packets if the TCP stream 
contains information indicative of a security breaches breach ; and 

a software module for forwarding a packet from the plurality of packets to a network 
destination if the TCP stream does not contain information indicative of a security breach e s 
breach . 

58. (original) The network intrusion detection and prevention sensor of claim 57, further 
comprising an IP defragmentation software module for reconstructing a plurality of packet 
fragments into the plurality of TCP packets. 

59. (currently amended) The network intrusion detection and prevention sensor of 
claim 57, wherein the network intrusion detection and prevention sensor further comprises an 
IP router software module for routing a TCP packet from the TCP stream if the TCP stream 
does not contain information indicative of a network security br e aches breach through the 
network. 

60. (original) The network intrusion detection and prevention sensor of claim 57, 
wherein the network intrusion detection and prevention sensor is controlled by a network 
security policy specifying the network traffic to inspect and a plurality of network attacks to be 
detected and prevented. 



16 



Application Serial No. 10/072,683 
Attorney Docket No. 0023-0209 

61. (original) The network intrusion detection and prevention sensor of claim 60, 
wherein the network security policy is defined by a network security administrator using a 
graphical user interface. 

62. (original) The network intrusion detection and prevention sensor of claim 57, 
wherein the graphical user interface comprises: 

a routine for displaying network security information to network security 
administrators; 

a routine for displaying status information on the network intrusion detection and 
prevention sensor; and 

a routine for specifying the network security policy. 

63. (original) The network intrusion detection and prevention sensor of claim 60, 
wherein the security policy is stored and distributed to the network intrusion detection and 
prevention sensor by a central management server. 

64. (original) The network intrusion detection and prevention sensor of claim 63, 
wherein the central management server comprises a routine for collecting a plurality of 
security logs and alarms recording information about security breaches found in the TCP 
stream. 

65. (currently amended) The network intrusion detection and prevention sensor of 
claim 57, wherein the software module for inspecting the TCP stream according to the packet 
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flows and sessions to detect information indicative of a security breach e s breach comprises a 

protocol anomaly detection software module. 

66. (currently amended) The network intrusion detection and prevention sensor of 
claim 57, wherein the software module for inspecting the TCP stream according to the packet 
flows and sessions to detect information indicative of a security breach e s breach comprises a 
stateful signature detection software module. 

67. (currently amended) The network intrusion detection and prevention sensor of 
claim 58, wherein the software module for inspecting the plurality of packets according to the 
packet flows and sessions to detect information indicative of a security br e ach e s breach 
comprises a plurality of software modules. 

68. (original) The network intrusion detection and prevention sensor of claim 67, 
wherein the plurality of software modules comprises at least a protocol anomaly detection 
software module. 

69. (original) The network intrusion detection and prevention sensor of claim 67, 
wherein the plurality of software modules comprises at least a stateful signature detection 
software module. 
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